U.S. Serial No. 10/685,882 

Response to the Office action of January 8, 2008 

REMARKS 

Claims 1-32 are pending and at issue in the above identified patent application. Of the 
claims at issue, claims 1, 8, 15, and 23 are independent. In view of the following remarks, 
reconsideration and allowance of the application are respectfully requested. 

The Rejections under 35 U.S.C. § 103 

Claims 1, 3, 5, 6, 8, 10-12, 15, 17-21, 25-28, and 30-32 were rejected as being 
unpatentable over Rawson (US 6,128,223) in view of Mitchem (Using Kernel Hypervisors to 
Secure Applications), in further view of Lettvin (US 5,559,960). As explained below, the 
rejections are traversed. Reconsideration and withdrawal of the rejections are respectfully 
requested. 

As previously noted, claims 1,8, 15, and 23 arc generally directed to the initialization of 
a Virtual Machine Monitor (VMM), and the detection of an intrusion event. In particular, claims 
1, 8, 15, and 23 respectively recite, inter alia, "initializing a virtual machine monitor (VMM) in a 
processor system during a pre-boot phase," "instructions, which when executed, cause a machine 
to initialize a virtual machine monitor (VMM) in a processor system during a pre-boot phase," "a 
virtual machine monitor initialized from the firmware during a pre-boot phase," and "a processor 
being programmed to initialize the VMM during a pre-boot phase." As such, all of these 
recitations indicate that either a VMM is initialized during a pre-boot phase, or that a machine or 
instructions are programmed to do the initialization of the VMM during a pre-boot phase. 

Claims 1, 8, 15, and 23 were rejected as obvious over Rawson in view of Mitchem, and 
in further view of Lettvin. However, neither Rawson, Mitchem, nor Lettvin, either alone or in 
combination, teaches or suggests the initialization of a VMM to identify at least one of a network 
intrusion event and a physical intrusion event. 
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While the Supreme Court has rejected a rigid application of the "teaching, suggestion, or 
motivation" test, which required some teaching, suggestion, or motivation in the prior art that 
would lead one of ordinary skill in the art to combine the prior art elements in the manner 
claimed, the Court noted, however, that the analysis supporting a rejection under 35 U.S.C. 
§ 103(a) should be made explicit. More particularly, the Court noted that it was "important to 
identify a reason that would have prompted a person of ordinary skill in the relevant field to 
combine the [prior art] elements" in the manner claimed. KSR Int'l Co. v. Teleflex, Inc., 127 S. 
Ct. 1727 (2007). 

In the present action, the examiner has identified at least three different references that 
must be combined in order to support the rejection of the claims. Moreover, as will be discussed 
below, each of the references must be combined in a way that modifies the functionality of the 
reference teachings. While the examiner has identified at least a cursory reason for possibly 
combining the references, the examiner has failed to identify any reason as to how or why a 
person of ordinary skill in the art would look to modify the combined teachings as suggested. 
Accordingly, the applicants respectfully traverse the present rejections, and request 
reconsideration and allowance of the pending claims. 

In particular, Rawson is directed to the one time detection of a physical intrusion and fails 
to teach or suggest the initialization of a VMM. Furthermore, Rawson is limited to a physical 
intrusion detection and fails to teach or suggest a network intrusion detection. The failure of 
Rawson to describe a VMM is admitted in the Office action. In particular, the examiner admits 
that "Rawson does not explicitly disclose initializing a virtual machine monitor (VMM) in a 
processor system during a pre-boot phase." (Office action, Page 3). 
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To overcome the deficiencies of Rawson, the examiner attempts to utilize the description 
of Mitchem. In particular, the examiner suggests that "Mitchem discloses initializing a virtual 
machine monitor," and moreover it would have been obvious to modify Rawson by initializing 
the VMM as taught by Mitchem "in order to protect a user, browsing on the internet, from 
downloading and executing malicious active content that might damage the user's system." 
(Office action, Page 3). 

Mitchem, however, is directed to using operating system kernel hypervisors to secure 
applications. Specifically, Mitchem describes that the kernel hypervisor is "implemented on top 
of an operating system kernel." Mitchem, page 175, left column, paragraph four, lines 4-7. That 
is, the hypervisor of Mitchem is implemented during operating system runtime, which, of course, 
is not a pre-boot phase of operation. Further, contrary to the recitations of the claim, Mitchem 
describes that the hypervisors are "loadable kernel modules that intercept system calls to perform 
pre-call and post-call processing." Mitchem, page 175, right column, lines 6-8. That is, the 
modules of Mitchem are loaded into and are supported by the operating system, such as shown in 
figures 1 and 2 of Mitchem. Again, this is contrary to the recitations in the claims. 

As noted above Rawson is directed to the one time detection of a physical intrusion. No 
where does Rawson teach, suggest, or describe the need and/or desire to protect a user from 
downloading and executing malicious content with a kernel hypervisor. In fact, if one were to 
utilize such a system, one would most likely be motivated to utilize a firewall and/or intrusion 
detection system that is installed in the network and is described in the background of the current 
application. There simply is no reason why one of ordinary skill in the art, trying to protect a 
system from a physical intrusion would look to a kernel hypervisor to protect a user from 
downloading an executing malicious active content. 
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Still further, the examiner admits that the combination of Rawson and Mitchem does not 
isclose a VMM that is initialized during a pre-boot phase. (Office action, Page 4). To overcome 
the deficiencies of Rawson and Mitchem, the examiner suggests that " Lettvin discloses 
initializing a virtual machine monitor (VMM) in a processor system during a pre-boot phase", 
and moreover, it would have been obvious to modify Rawson and Mitchem "by initializing the 
VMM during a pre-boot phase as taught by Lettvin to provide a startup disk that causes the 
computer to automatically execute anti-virus software each time the computer starts from the 
disk, i.e., during bootstrap, so as to detect bootstrap time virus before or after they have executed 
and implanted themselves in the system." (Office action, Page 4; emphasis added). 

As previously noted, however, while Lettvin certainly does provide a startup disk that 
causes the computer to automatically execute anti-virus software each time the computer starts 
from the disk, Lettvin fails to describe the initialization of a VMM as suggested by the examiner. 
Furthermore, there is no indication of any motivation to combine Lettvin with either Rawson or 
Mitchem. 

The Court did not suggest that an examiner may ignore, or contradict, the teachings of the 
prior art when stating a case for obviousness. Rather, in determining obviousness, the proper 
analysis is whether the claimed invention would have been obvious to one of ordinary skill in the 
art after consideration of all the facts (35 U.S.C. 103(a)). Perhaps the most compelling of those 
facts are the teachings of the prior art at issue. When those teachings lead away from the 
proposed combination, then a prima facie case of obviousness has not been established. 
Additionally, the Court emphasized that "a patent composed of several elements is not proved 
obvious merely by demonstrating that each of its elements was, independently, known in the 
prior art." (Id. at 1741, and MPEP 2143). 
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As noted above, one of ordinary skill in the art would not have been motivated to 
combine the teachings of a physical intrusion detection system with a kernel hypervisor as taught 
by Mitchem. Still further, there would have been no motivation by one of ordinary skill in the 
art to further modify either the physical intrusion detection system of Rawson, or the post- 
operating system hypervisor of Mitchem to monitor a virus at start-up as described in Lettvin. 
Therefore, despite the suggestion by the examiner, there is no explicit reason why one of 
ordinary skill in the art would be motivated to combine the independently known elements of 
Rawson, Mitchem, and Lettvin, and thus, a prima facie case of obviousness has not been 
established. 

Accordingly, in view of the foregoing, the applicants respectfully submit that pending 
claims 1-32 are in condition for allowance and favorable reconsideration is respectfully 
requested. 

Conclusion 

If there is any matter that the examiner would like to discuss, the examiner is invited to 
contact the undersigned representative at the telephone number set forth below. 

The Commissioner is hereby authorized to charge any deficiency in the amount enclosed 

or any additional fees which may be required during the pendency of this application under 

37 CFR 1.16 or 37 CFR 1.17 or under other applicable rules to Deposit Account No. 50-2455. 

Please refund any overpayment to Hanley, Flight, and Zimmerman at the address below. 

Respectfully submitted, 
Hanley, Flight & Zimmerman, LLC 
150 South Wacker Drive, Suite 2100 
Chicago, Illinois 60606 

April 8, 2008 /Keith R. Jarosik/ 

Keith R. Jarosik, Reg. No. 47,683 
Attorney for Applicants - (312) 580-1 133 
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